Finding user creation date on the Operating system is a key fact on security audit. This help us to ensure the validity of the user.

On Windows Operating System user creation date are analyised by checking Event viewers (Event ID 4720), Profiles creation date and net command.

1. Check on Event viewer. It would be good to enable the audit logs. Event ID 4720.

2. Profile creation date, help us to know the first login date.

*If the user have never login into the Operating System. System will not create a new profile folder.

3. Check the user status using net command.

Run -> cm -> net user username
On Linux Operating System user creation date are analyised by checking home directory creation, messages and auditlog.
1. Check the creation data of user home directory

# ls -ld /home/username/

=> result: drwx—— 5 username username 4096 Aug 28 22:07 /home/username/

2. Grep messages logs.

cat /var/log/messages | grep username

cat /var/log/messages.* | grep username

3. If system auditd are enabled. Search the logs using grep, aureport, ausearch commands. Daemon auditd collects audit subsystem logs and log them on /var/log/audit/audit.log. SELinux uses the audit subsystem.

* aureport –auth | grep username

* ausearch

These are two programs, ausearch and aureport, that provide retrieval capabilities. Ausearch is a grep program in that it can be given certain parameters and it will display any records that match. The aureport program was designed to aid in doing reports via awk, perl, or grep. It can select different kinds of information in the audit logs and present them in either columnar form or rankings. Some of the information it can select includes: logins, users, terminals, host names, executables, file access, avc objects, syscalls, watches, or event types.

cat /var/log/audit/audit.log | grep username

cat /var/log/audit/audit.* | grep username

Advertisements